
13 Million Passwords Leaked - 000WebHost - Page 2
24 Comments

  • joepie91 said: Not until the database leaks. But it shouldn't matter - you shouldn't be reusing passwords anywhere. If you are, then change them right now, no matter which passwords you think have leaked, and use a password manager like KeePass (Windows) or KeePassX (Linux, OS X).

    I really need a free weekend to set all this up; the number of passwords I share between sites is ludicrous.

    Thanked by: afterSt0rm
  • @Nekki said:
    I really need a free weekend to set all this up; the number of passwords I share between sites is ludicrous.

    I did the transition gradually - every time I logged in to a non-migrated site, password change -> save to KeePass

  • If you have nothing to hide, you don't need passwords.

  • ai ai ... and plain text passwords

  • joepie91 (Member, Patron Provider)

    tridinebandim said: I am really beginning to consider using a password manager, even paid versions.

    I wouldn't recommend the paid ones. You typically have to trust them to some degree, especially the web-based and 'synchronizing' ones. KeePass/KeePassX are known to be good, are open-source (so you can audit them), and don't have any possible conflicts of interest.

    The only drawback is that there are some caveats to synchronizing .kdbx files between devices - you can't modify them in two places at the same time. This pretty much comes with the territory, though, and if a service claims to not have that problem, then that is very likely to point at a security issue.

    tridinebandim said: I don't have the practice; do you use different random passwords for every site and save them in the app?

    Yep. KeePassX generates them for me (it has a generate button), so I just add a new password for every service, and then Ctrl+C them whenever I need them - this copies them to the clipboard, and removes them from the clipboard again after a few seconds.

    I do this even for throwaway accounts, and it isn't as inconvenient as some claim :)

  • @deadbeef said:

    @MeAtExampleDotCom said: There should be a criminal offence for that...

    Why? Your mama told you to never use different passwords per site and you are too lazy to use a password manager?

    Yes, I have different passwords for (almost) all accounts, strong ones too, and the important ones cycle regularly. But in my experience most people don't, and while they need a smack over the back of the head with the clue stick too, "security in depth" is a key protection mechanism and anyone storing passwords insecurely is completely failing at basic due diligence.

  • @MeAtExampleDotCom said:
    Yes, I have different passwords for (almost) all accounts, strong ones too, and the important ones cycle regularly. But in my experience most people don't, and while they need a smack over the back of the head with the clue stick too, "security in depth" is a key protection mechanism and anyone storing passwords insecurely is completely failing at basic due diligence.

    Going from "recommended practices" to "criminal offense" is a grave leap of logic, hence my comment.

  • @deadbeef said:
    I did the transition gradually - every time I logged in to a non-migrated site, password change -> save to KeePass

    I haven't even got as far as setting up KeePass (or anything else new, beyond somehow having 1Password on my phone); that's what I need to set aside time for.

  • emg (Veteran)

    @tridinebandim said:

    I am really beginning to consider using a password manager, even paid versions. I don't have the practice; do you use different random passwords for every site and save them in the app?

    Yes. Every site. Save them in the app - KeePass or a paid product. Whatever works for you.

    As others have recommended, you can update each website, encrypted drive, etc. as you open them. You do not have to do it all at once. Think about taking a little time to do the high value targets first - banking websites, social media, whatever can be monetized.

    Use the password manager product to generate long, strong, unique random passwords. Because you do not have to remember them, you can include upper case, lower case, numbers, and symbols. Use a good mix. Mine are 20 characters long, although some sites will not allow that many.

    Keep a good backup of your password database in case your primary computer crashes. Make sure someone you trust can get to the backup and unlock it in case something unexpected happens to you. (...and make sure that trusted person is not likely to be affected by the same unexpected happening at the same time as you.)

    Thanked by: tridinebandim
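    The post above recommends long, unique, random passwords that mix upper case, lower case, digits and symbols, and notes that some sites refuse 20 characters. The following is an added example (not from the thread or from KeePass) showing how a manager-style generator enforces that mix with a CSPRNG and how much entropy survives when a site caps the length; the symbol set and the 100-bit target are assumptions, not values from the page.

```python
import math
import secrets
import string

# Character classes named in the post: upper case, lower case, numbers, symbols.
# The symbol set is an assumption: a conservative subset most sites accept.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}


def generate_password(length=20, classes=CLASSES):
    """Draw `length` characters uniformly from the union of all classes using
    the OS CSPRNG (secrets), and redraw until every class is represented.
    Rejection sampling keeps the result uniform over the accepted set, unlike
    'one from each class then shuffle', which biases the distribution."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes.values()):
            return pw


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols (an upper
    bound; the class-coverage constraint removes a negligible fraction)."""
    return length * math.log2(alphabet_size)


def fit_to_site_policy(max_length, classes=CLASSES, target_bits=100):
    """Some sites cap the length below 20. Use the longest allowed length and
    report whether it still reaches the (assumed) entropy target, so the user
    knows when a site forces a weaker password than the manager would pick."""
    alphabet_size = sum(len(v) for v in classes.values())
    bits = entropy_bits(max_length, alphabet_size)
    return max_length, bits, bits >= target_bits


if __name__ == "__main__":
    print(generate_password(20))
    print(fit_to_site_policy(20))  # full-length: meets target
    print(fit_to_site_policy(12))  # capped site: falls short
```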
  • @emg said:
    Keep a good backup of your password database in case your primary computer crashes. Make sure someone you trust can get to the backup and unlock it in case something unexpected happens to you. (...and make sure that trusted person is not likely to be affected by the same unexpected happening at the same time as you.)

    Disregard friends, acquire SpiderOak.

  • This tells us one thing:
    Never use the same password on every account you make.
    Use a different email for every new account.
    Use two-step verification on all your financial accounts (banks, PayPal, AdSense, etc.).
    For free services, use a dump email that you sign in to once a year.

  • Free web hosting*

  • Another EIG host - that alone should explain it :)

  • Damn, I've got several breach notices from Microsoft in early October; they happened in China. Now I'm curious whether these link up.

  • KeePass doesn't seem to have an included backup-DB-to-cloud option; should I save the database in the Dropbox folder?

  • SpartanHost (Member, Host Rep)
    edited October 2015

    @tridinebandim said:
    KeePass doesn't seem to have an included backup-DB-to-cloud option; should I save the database in the Dropbox folder?

    If you mean storing the database file in Dropbox and accessing it from Dropbox on your devices, then this is a good idea, provided you don't edit it at the same time across multiple devices, as explained previously.

    As for backups, storing it in the Dropbox folder looks like your only option, e.g. http://www.geeksengine.com/article/keepass-3.html

    Thanked by: tridinebandim
  • emg (Veteran)

    @emg said: Keep a good backup of your password database in case your primary computer crashes. Make sure someone you trust can get to the backup and unlock it in case something unexpected happens to you. (...and make sure that trusted person is not likely to be affected by the same unexpected happening at the same time as you.)

    @deadbeef said:
    Disregard friends, acquire SpiderOak.

    Sorry, but please explain. Disregard what?

  • @emg said:

    You don't need a friend for your "holy shit" scenario - instead use this: https://spideroak.com

    All you need to remember is a single password and you're set. No need to rely on anyone this way.

  • The friend scenario is handy if you're no longer alive.

  • @deadbeef said:
    All you need to remember is a single password and you're set. No need to rely on anyone this way.

    Or go for Tresorit if you're allergic to US providers for any reason. Oddly everyone reports them as not giving free space out now but I got a basic plan with 3GB included which I was able to top up to 5GB by using some of the features. The only limitation on the basic plan seems to be you can only have 3 top-level folders.

    Thanked by: deadbeef
  • @deadbeef said:
    Going from "recommended practices" to "criminal offense" is a grave leap of logic, hence my comment.

    Maybe a civil offence with a fine structure would be more palatable?

    I'm not looking at it from a "recommended practices" frame though. IMO basic security is an absolute requirement not a recommendation, so this is a "due diligence" and "duty of care" issue.

    Insufficient security is potentially putting your users, and in some circumstances the general public, at unnecessary risk in the name of cutting your own costs. We want bankers properly punished for putting our money at unnecessary risk for their own gain, why not service providers for putting our data and identities at risk?

  • joepie91 (Member, Patron Provider)

    inklight said: Use a different email for every new account.

    An e-mail address is not secret information.

    zafouhar said: Another EIG host - that alone should explain it :)

    Huh? Since when are they part of EIG?

    tridinebandim said: KeePass doesn't seem to have an included backup-DB-to-cloud option; should I save the database in the Dropbox folder?

    That's correct. KeePass is purely a piece of software, not a service. You can decide where you store your database file. That's a good thing :)

    Generally, anything that ends in "to cloud" should be considered insecure until proven otherwise. In 99.99% of cases, it simply means "on somebody else's computer, but you don't know which" - a great way to lose data (or, in some cases, even get it compromised).

    MeAtExampleDotCom said: Maybe a civil offence with a fine structure would be more palatable?

    Already sort of happening. Soon, the Dutch equivalent of the Data Protection Authority can fine operators for:

    1. Not reporting a breach
    2. Not reporting a breach in time
    3. Having shoddy security lead to such a breach

    How well it works remains to be seen, but things are happening on that front, at least.

    MeAtExampleDotCom said: IMO basic security is an absolute requirement not a recommendation, so this is a "due diligence" and "duty of care" issue.

    Fully agreed. Security only seems 'optional' if you're trying to cheap out, with disregard for others. It's no less essential than a civil engineer ensuring their bridge structure won't collapse during rush hour.

  • Hello, guys,

    At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of Internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

    At Hostinger and 000webhost we are committed to protecting user information and our systems. We are sorry and sincerely apologize that we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved. Our users' sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities once our internal investigation has been completed. We advise our customers to change their passwords and use different passwords for other services.
    We became aware of this issue on the 27th of October and since then our team has started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are going to upgrade our systems in the near future. We hope to get the service back to our users soon.
    Our other services, such as Hosting24 and Hostinger, are not affected by this security flaw.

    For more information you can contact us at [email protected]

    Sincerely,
    000webhost.com

  • GM2015 (Member)
    edited October 2015

    Yawn. I expected a copy-paste response, but Google hasn't indexed this block of text elsewhere yet.

    000webhost said: We will still hold your data ransom in the future.

    Thanked by: netomx, 4n0nx
  • Just found out my email is on the list

    Thanked by: netomx
  • netomx (Moderator, Veteran)

    My email is on 3 lists, but I don't know 2 of the companies... wtf, why do they have my email?

  • netomx (Moderator, Veteran)

    Why aren't CVPS and similar DBs there?

  • Is the site maintainer selling those emails?

    netomx said: Why aren't CVPS and similar DBs there?

    Thanked by: netomx
  • edited October 2015

    @joepie91 said:

    inklight said: Use a different email for every new account.

    An e-mail address is not secret information.

    Not secret, but it is potentially sensitive information when combined with other data, just like a phone number or physical address. Even ignoring that, just because it isn't secret doesn't mean you necessarily want it to be a valid address known by every man, his dog, and its fleas. My use of different addresses for everything is more a spam mitigation measure than an identity or data protection one.

  • drazilox (Member)
    edited October 2015

    @Nekki said:
    Or go for Tresorit if you're allergic to US providers for any reason. Oddly everyone reports them as not giving free space out now but I got a basic plan with 3GB included which I was able to top up to 5GB by using some of the features. The only limitation on the basic plan seems to be you can only have 3 top-level folders.

    Looks like SpiderOak in Switzerland. Cool. It seems like the only thing you can get for free is a 14 or 30 day trial, which kinda sucks. I'd be happy even with 1GB. Do you have the ability to invite or something that could possibly give a permanent free account?
